Welcome to this week’s Threat Source newsletter. 

I love a Spielberg summer. His ability to imbue a sense of wonder, awe, curiosity, and connection means he’s in a league of his own. Granted, I haven’t felt that from him in a while, but when he hits? Oof. I feel like I need somebody to reach across and take off my sunglasses. 

So, Disclosure Day then. A group of friends and I visited a thankfully packed-out cinema at the weekend to bear witness to Spielberg’s latest dalliance with extra-terrestrial beings. 

Thar be no spoilers here, but I do want to touch on one of the film’s central themes: the idea that a group of people (let’s call them “the government”) believes they can predict how humanity will react to world-changing information based on historical data patterns. 

We often assume that information influences behaviour. Surely, if people have the right information, they'll make the right decision? If people understand the risk, they'll act. 

However, the older I get, the less convinced I am that human beings are rational creatures. 

Organisations know they should patch. People know they should use MFA. Leaders know they should practice an incident before it happens for real. 

And yet. 

Life is messy. Life, uh, finds a way. 

Most people aren't making decisions in a vacuum. They need to contend with limited budgets, workloads, competing business priorities, and a hundred other things demanding their attention. "Knowing" what they should do is the easy part. The hard part is finding the time, resources, urgency, and collective will to actually do it. 

As one of my colleagues recently wrote, even in a post-Mythos world, many of the controls most likely to protect organisations are the same ones we've been talking about for years. Segmentation. Backups. MFA everywhere. Understanding if your controls are doing what they’re supposed to be doing.  

And people can react to the exact same situation in very different ways. 

Take the film itself. One of my friends remarked on the way out, "What a load of twaddle." (Do you use "twaddle" much in the U.S.? If not, I recommend introducing it into more sentences.) Another friend thought it was entertaining, exciting, and thought-provoking. 

As Colin Firth’s character finds out in Disclosure Day, humans don’t always react the way you expect them to. I think that’s so important to acknowledge and work with, rather than against, in the cybersecurity field. Information is only one piece of the puzzle. Experience, priorities, personality, context, and a hundred other factors shape how people interpret and respond to that information. 

So, this message probably won’t land with 99% of you. But for the 1% that it might, go ahead and do that MFA install you’ve been putting off.  

Also, you’re running low on milk. Best pick some up on your way home.

The one big thing 

Cisco Talos detailed a new approach to reverse engineering that pairs local AI agents with traditional analysis tools like the VB6 disassembler vbdec. Instead of awkwardly bolting AI onto the software, vbdec exposes its parsed data through a live Component Object Model (COM) interface. Analysts can simply use natural language prompts to automate complex tasks like decompiling functions or building call graphs. This transforms the disassembler from a static viewer into a highly interactive, queryable data server. 

Why do I care? 

This methodology empowers analysts to generate custom workflows on the fly, completely bypassing the wait for new vendor features. It also solves a massive privacy hurdle: because the AI agent and disassembler share a local machine, sensitive binaries never leave your workstation. This architectural shift proves that any analysis tool holding structured data behind a GUI can become a powerhouse for agentic automation, saving defenders countless hours of tedious reverse engineering. 

So now what? 

Tool developers should start exposing their application data through external scripting interfaces like COM or other inter-process communication (IPC) protocols. If you are analyzing VB6 binaries, enable remote scripting in vbdec and point your preferred local AI agent at the provided operator briefing to start automating your tasks. Security teams need to lean into this paradigm shift, letting agents handle the exhaustive, repeatable grunt work while analysts focus on the actual analysis. Read the blog for more.

Top security headlines of the week 

ShinyHunters claims Council of Europe hack 
On Sunday, ShinyHunters added the Council of Europe to its Tor-based leak site, threatening to release more than 297GB of data allegedly stolen from the organization’s network. (SecurityWeek) 

Sweeping credential-harvesting heist compromises +30K Fortinet devices 
A large-scale cyber espionage and credential-harvesting operation is actively targeting Fortinet firewalls and VPN gateways, and has already compromised more than 30,000 Internet-facing devices across nearly 200 countries. (Dark Reading) 

Fileless Phantom Stealer targets browser credentials 
In addition to executing entirely in memory, the malware's infection chain incorporates other anti-analysis techniques designed to evade detection. (Dark Reading) 

Bug in FIFA World Cup internal system gave anyone ability to modify TV stream 
A security researcher said she was able to access several internal FIFA platforms due to a simple security flaw, which allowed her to watch and have full control of the TV stream of every World Cup game. (TechCrunch) 

The FBI built its own replica small town to simulate real-world cyber attacks 
Dubbed the Kinetic Cyber Range, the FBI’s small purpose-built town opened in February 2025 and features fully furnished houses, a hotel, a gas station and grocery mart, a courthouse, a hospital, roads, traffic lights, and a power company designed to mimic a real U.S. community. (TechCrunch)

Can’t get enough Talos? 

Patching in the dark: Managing unknown threats in complex environments 
If you're tired of being told to "just patch," we understand. In this episode of Talos Takes, Amy and Pierre explore the logistical, technical, and business realities that make patching a complex, high-stakes operation rather than a simple button click. Here are the things defenders often miss that build true resilience in organizations. 

Hypotheses, telemetry, and human judgment: Inside Cisco Talos Threat Hunting 
Learn how Cisco Talos Threat Hunting uses hypothesis-driven methods and multi-domain telemetry correlation to find stealthy threats operating below automated detection thresholds. 

Winning the cyber marathon with Tony Giandomenico 
In the high-speed world of cybersecurity, the difference between a breach and a breakthrough often comes down to endurance. Tony Giandomenico, Senior Director of Product Management with Cisco Talos, joins Amy to discuss Talos Threat Hunting, the challenges of leading major product launches, and the grueling discipline of Ironman triathlons.

Upcoming events where you can find Talos 

• Black Hat USA (Aug. 1 – 6) Las Vegas, NV 
• DEF CON 34 (Aug. 6 – 9) Las Vegas, NV 

Most prevalent malware files from Talos telemetry over the past week 

SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
MD5: 2915b3f8b703eb744fc54c81f4a9c67f  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
Example Filename: VID001.exe  
Detection Name: Win.Worm.Coinminer::1201** 

SHA256: c0ad494457dcd9e964378760fb6aca86a23622045bca851d8f3ab49ec33978fe 
MD5: bf9672ec85283fdf002d83662f0b08b7  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=c0ad494457dcd9e964378760fb6aca86a23622045bca851d8f3ab49ec33978fe 
Example Filename: f_000cd7.html 
Detection Name: W32.C0AD494457-95.SBX.TG 

SHA256: 9896a6fcb9bb5ac1ec5297b4a65be3f647589adf7c37b45f3f7466decd6a4a7f 
MD5: 38de5b216c33833af710e88f7f64fc98  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=9896a6fcb9bb5ac1ec5297b4a65be3f647589adf7c37b45f3f7466decd6a4a7f 
Example Filename: SECOH-QAD.exe  
Detection Name: Win.Tool.Procpatcher::1201 

SHA256: e60ab99da105ee27ee09ea64ed8eb46d8edc92ee37f039dbc3e2bb9f587a33ba  
MD5: dbd8dbecaa80795c135137d69921fdba  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=e60ab99da105ee27ee09ea64ed8eb46d8edc92ee37f039dbc3e2bb9f587a33ba
Example Filename: u992574.dll  
Detection Name: W32.Variant:MalwareXgenMisc.29d4.1201

The problem with VB6 binaries 

VB6 binaries are laid out as a complex file format with embedded metadata. Recovering advanced data embeddings means reimplementing VB6s’ internal file format: the VB header, the object table, and the P-code layout. This is a highly specialized task that takes dedicated tools to do accurately, but not every tool exposes an equivalent programmatic library. The technique in this blog shows how AI agents can automate existing tools and reach deep into the result set.

The recipe 

The whole technique comprises three pieces. Any one of them in isolation is interesting, but together they are a new working mode. 

The live model 

vbdec does not keep its parsed model locked behind its GUI. When a binary is loaded and remote scripting is enabled (Help → Options → Enable Remote Scripting), vbdec registers its central CVBProject object and its main form in the Windows Running Object Table (ROT) under the monikers vbdec.vbp and vbdec.frmMain. The ROT is a system-wide directory of live Component Object Model (COM) objects; any process can look an object up by moniker and receive a reference to the running instance. From a script, that is a single line:

Set o = GetObject("vbdec.vbp")

The variable o can now access the entire parsed project: every form, class, module, declared API, P-code body, control, and string, presented as a navigable object graph. The script is driving the disassembler itself. 

Note: For VB6 host applications in particular, this capability can even be forcefully added without source code access.

The contract 

A live model is useless to an agent that does not know its shape. vbdec now includes an AI agent support package that helps bridge this gap. The first is the operator briefing (“_claude_vbdec_ai_instructions.txt”) — a short markdown file that tells the agent what vbdec is, how to bind to the ROT, and how the object model is shaped. The second is the proto folder — 90 auto-generated class definitions covering every public class and form vbdec exposes. The agent treats these as the authoritative reference for member names and types. (The original IntelliSensesupport files were also usable for this task.)

The local agent 

The third piece is the agent. In this blog, Talos used Claude Code, run locally on the workstation. The user opens a terminal, points the AI at the briefing and prototypes, and simply describes what they would like analyzed. Claude Code then runs multiple .vbs files with cscript and explores the data through iterations. There is no preselected AI integration embedded in vbdec, no upload for the analyst’s binary, and no glue to be maintained as a separate codebase. The agent and disassembler share a machine and file system; analysis occurs locally, with only the model inference requests leaving the workstation.  

Whatever capability the agent adds next extends vbdec without any new code in the tool itself, and users are free to select whichever model they prefer.

What the analyst actually does 

Next are a couple examples tested against a P-code version of PDFStreamDumper.

Decompile a function 

The analyst names a function and asks for a source code reconstruction. The agent pulls the P-code, walks the VB-VM opcode stream, maps each construct to its VB6 equivalent, and produces a source level equivalent with inline comments.

The reconstruction is not byte-identical, but the control flow is substantially recovered with agent comments added in. It is also interesting to note that the AI went into the subfunctions on its own, determined their purpose, and gave them reasonable names to complete its task decompiling the parent. This is usable reverse-engineering output that a human would spend substantial time producing, now scalable and generated in seconds.

Build a call graph 

The analyst picks a function and asks for its callees as a Graphviz DOT file. The agent walks each CCodeBody.Disasm, picks out the call opcodes (ImpAdCallI2, VCallHresult, LateMemCall, and others) and emits the DOT graph with depth tracking.

Dump every function to SQL 

To test a real automation-heavy use, the agent was next asked to enumerate every function in the binary and dump stats to a SQLite database including address, size, module, instruction count, callees, and external API calls. The agent did this in a single cscript pass over o.CodeObjects, classifying calls with the same rules used in the graph task. For PDFStreamDumper the result is a 600+-row database. Now the database can be explored with simple queries such as:

SELECT display_name FROM functions WHERE api_calls LIKE '%RtlMoveMemory%';

The binary has been transformed from something you must click through into something you can simply query. Whole-program questions that would be impractical by hand become single-line requests.  

The three tasks above — decompile, graph, export — used to be features that a tool vendor would have to design, build, and ship as menu items. They are now prompts a user can add on themselves. The capability surface of the tool has decoupled from the feature list of the tool.

Build an opcode reference database 

The same recipe scales beyond single analyses to producing reference data. In the next example the agent was tasked with building a complete opcode database for the VB6 P-code interpreter (MSVBVM60.dll; 1,165 dispatch slots). Two tools were coordinated. Vbdec was again used over the ROT to search and analyze actual examples of every opcode from a real binary (PDFStreamDumper). The results were then bolstered utilizing the idalib MCP server to read the actual runtime handler functions in VB runtime itself to verify what each opcode does at the dispatch level. 

The results were combined into a SQLite database that includes operand decoding, handler-verified semantics, alias relationships, corpus statistics, and written descriptions for every opcode. Resources such as this could now be fed back into AI agents to produce better P-code decompilation. This corpus of knowledge would be impractical to build by hand, yet was agentically synthesized in a matter of hours.

Application testing

The same mechanism can also be used to test the outputs of the tool itself. An agent pointed at the briefing and prototypes will exercise the real COM surface against actual data. With COM in particular this means there is no mock, no proxy, and no UI automation layers to debug in between.  

Method signature drift, type regressions, malformed objects, edge-case P-code, missing members are all easily exposed. The proto files and the briefing get tested alongside the API implementation itself.

What this makes possible 

This design pattern generalizes cleanly. Any analysis tool that publishes its internal model to the ROT and ships an operator briefing with prototypes can become a substrate for local agentic automation. The interactive GUI remains available for exploration; the agent handles everything that benefits from being repeatable, exhaustive, or fast. 

The architectural move is the part worth carrying away. The author of an analysis tool that holds structured data behind a UI does not have to predict the analyses their users will want.  

Publish the model, write the briefing, and hand the keys over to the user. Every user wish list idea now collapses into the same answer: Ask the agent. Tedious analysis can be easily automated.  

The local part is valuable as well. Sensitive binaries do not leave the analyst’s machine. There is no API key in the product and there is no service that can be discontinued. The agent is whichever agent the analyst already has. The contract between agent and tool is text files on a file system.

Conclusion 

While analysis tools commonly include internal scripting, exposing the application to external automation is what opens them to AI agents. ROT-published COM objects are well-suited to this because they are language-agnostic, process-agnostic, synchronous, and discoverable. Turning the analysis tool into a data server has additional benefits, such as allowing repeat query sessions without itself having to reload and reparse the data set.  

While the specific design in this paper was COM-based, any IPC communication protocol could be used. COM and IDispatch are particularly useful here because they are inherently scriptable without requiring additional marshaling or synchronization layers.  

Another aspect of this design that is easy to overlook is the utility of having a full GUI for data exploration at the forefront. Data can be explored and verified manually and then scripts written against it for bulk operations. While plugin frameworks have been the traditional solution to automation needs, plugin development is generally quite bulky in practice and often bound to a specific program version.

With this paradigm, the disassembler stops being a place you look at a binary, and becomes a service you ask questions of.

Welcome to this week’s edition of the Threat Source newsletter. 

To the surprise of absolutely no one who has seen my face, I’m one of the younger employees at Talos. As my industry veteran colleagues were buying the first iPods, navigating the switch from dial-up to broadband, saying goodbye to floppy disks, and making Myspace accounts, I was playing with my Password Journal and Friend Chips. It’s a funny contrast, but I still experienced the beginning of the “always-on” era. 

Ah, those were the days. One of my most vivid tech memories is begging my dad to play games on his Handspring Visor — a classic personal digital assistant (PDA) launched in late 1999 by Handspring, a company formed by the original creators of the PalmPilot. Handspring stopped producing the Visor line in 2002 and it eventually became obsolete, mostly because its desktop sync feature couldn't keep up with modern OS updates. Despite the tech debt, I spent hours playing Asteroid, Centipede, and Hardball (aka Breakout) on that thing. My dad, meanwhile, mostly used the Memo function to store his passwords... which he still does today. (Yeah, I’m still working on getting him to see the wonders of 1Password.) 

You might be wondering what made me reminisce on childhood toys. A few weeks back, my fiancée and I drove a few hours to visit my family. Even if we get in at 9:00 p.m., it’s tradition for us to stay up late eating pizza and talking about random stuff. 

We got on the topic of phones because my parents still have a landline, and I mentioned that walkie talkies were my first introduction to having my own personal device. My dad dug some old ones out, set them on the table, and put them on scan while we chatted.  

At some point, the conversation petered out just when the walkie talkie captured a channel. Radio static, and then a kid’s voice broke our silence: “Your butt crack is out.” 

My dad got an impish grin and brought the talkie up to his mouth. My mom pleaded, “No. Honey, no. Don’t.” The rest of us were already wheezing and crying. 

He pressed the talk button and, in his best crotchety old man voice, bellowed, “Hey, you kids. Get off my lawn!” 

Imagine being those poor kids. It’s a funny story, but if you don’t want people like my dad intercepting your comms, maybe stick to encrypted channels. 

The one big thing 

Talos' Yuri Kramarz published a blog highlighting how AI-driven vulnerability discovery has completely outpaced human patching capabilities. With frontier AI models autonomously discovering and exploiting zero-days in minutes, the traditional vulnerability lifecycle has completely collapsed. To survive this hyper-accelerated threat environment, organizations must abandon patch-reliant strategies and embrace a three-stage fallback model built on foundational security principles. 

Why do I care? 

Speed is the new, terrifying multiplier in the traditional risk equation. When an AI can uncover a decades-old zero-day and write an exploit for it in minutes, relying solely on vulnerability management is a losing game. Defenders must accept that some exploitation will inevitably slip through the cracks. The true measure of security is no longer just prevention, but how well your environment can absorb, detect, and survive the initial blow. 

So now what? 

Stop treating security basics like optional compliance checkboxes. Enforce multi-factor authentication (MFA) everywhere, harden devices using CIS benchmarks, and implement strict network segmentation to limit an attacker's blast radius. Since hardened systems only slow attackers down, deploy behavioral-based EDR, NDR, and XDR to catch the post-exploitation activity that signatures miss. Finally, validate these controls through penetration testing and purple team exercises so your incident response playbooks become muscle memory, not just wishful thinking. Read the full blog for more. 

Top security headlines of the week 

CISA gives U.S. federal agencies three days to fix a VPN bug under attack by Qilin 
Check Point Software said the bug affects several of its remote access tools, firewalls, and VPNs, which act as digital gatekeepers to protect company networks from unauthorized access. (TechCrunch) 

Anthropic launches Claude Fable 5: Mythos-class AI with cybersecurity guardrails  
The AI giant says this marks the first time a model of this capability class has been deemed safe enough for widespread public and developer access. (SecurityWeek) 

Microsoft fixes two high-severity zero-days disclosed by researcher 
The vulnerability is a local privilege escalation, meaning it can be chained to a separate vulnerability to give users or processes with low-level privileges the ability to defeat OS protections and gain full SYSTEM rights needed to install malware. (Ars Technica) 

WhatsApp catches spyware firm NSO defying no-hacking court order 
According to WhatsApp, the spyware maker has violated the permanent injunction. The messaging app reported on Monday that it had recently learned of a social engineering attack that attempted to trick users into clicking on malicious links. (SecurityWeek) 

High-severity vulnerability in Linux caused by a single faulty character 
The presence of a single mis-issued exclamation point in code implementing nf_tables introduced a use-after-free, a class of vulnerability that corrupts memory by placing malicious code at memory addresses that haven’t been properly freed of their previous contents. (Ars Technica) 

Can’t get enough Talos? 

Hypotheses, telemetry, and human judgment: Inside Cisco Talos Threat Hunting 
Learn how Cisco Talos Threat Hunting uses hypothesis-driven methods and multi-domain telemetry correlation to find stealthy threats operating below automated detection thresholds. 

Winning the cyber marathon with Tony Giandomenico 
In the high-speed world of cybersecurity, the difference between a breach and a breakthrough often comes down to endurance. Tony Giandomenico, Senior Director of Product Management with Cisco Talos, joins me to discuss Talos Threat Hunting, the challenges of leading major product launches, and the grueling discipline of Ironman triathlons. 

When synthetic logs don’t lie: Generating coherent attack stories for better detection 
Are your detection rules failing because your test data lacks the nuance of a real-world network?  In this episode of Talos Takes, Amy sits down with David Bianco to discuss why traditional synthetic data often falls short and how his new open-source project, EvidenceForge, is changing the game. 

Upcoming events where you can find Talos 

• Cisco Connect Germany (June 16) Frankfurt, Germany 
• Black Hat USA (Aug. 1 – 6) Las Vegas, NV 
• DEF CON 34 (Aug. 6 – 9) Las Vegas, NV 

Most prevalent malware files from Talos telemetry over the past week 

SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
MD5: 2915b3f8b703eb744fc54c81f4a9c67f  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
Example Filename: VID001.exe  
Detection Name: Win.Worm.Coinminer::1201** 

SHA256: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974  
MD5: aac3165ece2959f39ff98334618d10d9  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974 
Example Filename: d4aa3e7010220ad1b458fac17039c274_63_Exe.exe  
Detection Name: W32.Injector:Gen.21ie.1201 

SHA256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91 
MD5: 7bdbd180c081fa63ca94f9c22c457376 
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91 
Example Filename: d4aa3e7010220ad1b458fac17039c274_62_Exe.exe 
Detection Name: Win.Dropper.Miner::95.sbx.tg** 

SHA256: 9896a6fcb9bb5ac1ec5297b4a65be3f647589adf7c37b45f3f7466decd6a4a7f 
MD5: 38de5b216c33833af710e88f7f64fc98 
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=9896a6fcb9bb5ac1ec5297b4a65be3f647589adf7c37b45f3f7466decd6a4a7f 
Example Filename: sample.exe  
Detection Name: Win.Tool.Procpatcher::1201 

Microsoft has released its monthly security update for June 2026, which includes 206 vulnerabilities affecting a range of products, including 32 that Microsoft marked as “critical”. 

Out of 32 "critical" entries, 28 are remote code execution (RCE) vulnerabilities in Microsoft Windows services and applications including Windows Active Directory, Windows Kerberos Key Distribution Centre (KDC), Windows Graphics component, Windows Remote Desktop client, Windows Deployment Services (WDS), DHCP Client service, Windows Hyper-V, Windows Kernel and Media, Azure Kubernetes Service (AKS), Microsoft Office, Microsoft Outlook, Microsoft Word, Microsoft SQL server and Windows HTTP Protocol Stack. 

Talos highlights 4 critical vulnerabilities as Microsoft has determined that their exploitation is “more likely:” 

CVE-2026-42985 is a critical Remote Code Execution Vulnerability due to Heap-based buffer overflow in Remote Desktop Client which allows an unauthorized attacker to execute code over a network. 

CVE-2026-47291 is a critical Remote Code Execution Vulnerability due to Integer overflow or wraparound in Windows HTTP Protocol Stack (http.sys). An unauthenticated attacker could exploit this vulnerability by sending a specially crafted packet to a targeted server utilizing the HTTP Protocol Stack (http.sys) to process packets. 

CVE-2026-44803 and CVE-2026-44812 are critical Remote Code Execution Vulnerability in the Windows Graphics component. This vulnerability is due to Integer overflow or wraparound in Windows Win32K – GRFX subsystem (graphics component). An unauthorized attacker, exploiting this vulnerability can execute malicious code locally. 

Talos highlights 23 critical vulnerabilities as Microsoft has determined that their exploitation is “less likely:” 

CVE-2026-42992, CVE-2026-44799, CVE-2026-44801, CVE-2026-47289 and CVE-2026-48563 are critical Remote Code Execution Vulnerability due to Heap-based buffer overflow in Windows Remote Desktop Client allows an unauthorized attacker to execute code over a network. Successful exploitation of this vulnerability necessitates that an attacker takes additional steps to prepare the target environment before exploitation. In the case of a Remote Desktop connection, an attacker who controls a Remote Desktop Server could initiate a remote code execution (RCE) on the machine when a victim connects to the attacking server using the vulnerable Remote Desktop Client. 

CVE-2026-45607, CVE-2026-45641 and CVE-2026-47652 are critical Remote Code Execution vulnerabilities in Windows Hyper-V that arise from Out-of-bounds reads, which enable an unauthorized attacker to execute code locally. This vulnerability necessitates that an authenticated attacker on a guest virtual machine (VM) sends specially crafted file operation requests to hardware resources within the VM which could result in remote code execution on the host server. 

CVE-2026-45657 is a critical use after free vulnerability in Windows Kernel which allows an unauthorized attacker to execute malicious code over a network. An attacker could exploit this vulnerability by sending specially crafted network traffic to a vulnerable Windows system. With the successful exploitation attempt, the malicious network packets could trigger a flaw in how the Windows kernel processes certain TCP/IP data, potentially allowing the attacker to run code with system-level privileges without needing to sign in or interact with a user. 

CVE-2026-48574 is a critical Remote Code Execution vulnerability in Windows Media due to Heap-based buffer overflow which allows an unauthorized attacker to execute the malicious code locally.  

CVE-2026-42987 is a critical Remote Code Execution vulnerability in Windows Deployment Services (WDS). This vulnerability is due to the use after free flaw in Windows Deployment Services and an unauthorized attacker, exploiting this vulnerability, can execute malicious code over a network.  

CVE-2026-44815 is a critical Remote Code Execution vulnerability due to the Stack-based buffer overflow in Windows DHCP Client which allows an unauthorized attacker to execute code over a network. An authenticated user could exploit this vulnerability by sending specially crafted network traffic to a server configured for use as a Dynamic Host Configuration Protocol (DHCP) Server. 

CVE-2026-45456, CVE-2026-45458, and CVE-2026-47635 are critical Remote Code Execution vulnerabilities in Microsoft Outlook and Word, caused by the access of resources using an incompatible type ('type confusion') in Microsoft Office. The exploitation of these vulnerabilities allows an unauthorized attacker to execute malicious code locally. Microsoft states that the attack vector is the preview pane of Outlook (classic), and this vulnerability can be exploited when rendering emails in Outlook (classic), as the email rendering in Outlook (classic) utilizes Microsoft Word functionality, where this vulnerability exists. 

CVE-2026-45461, CVE-2026-45463, CVE-2026-45472 and CVE-2026-45474 are critical Use after free flaw in Microsoft office when exploited, allows an unauthorized attacker to execute malicious code locally. 

CVE-2026-45476 is a critical Elevation of Privilege vulnerability in Microsoft Azure Network Adapter. The vulnerability is due to use after free flaw in Linux MANA Driver. An attacker who already has control of the host environment could trigger the flaw in the guest driver that mishandles memory. This could allow the attacker to read sensitive information from the guest and potentially use that access to gain higher privileges within the guest system. 

CVE-2026-44810 is a critical Improper authentication flaw in Windows Cryptographic Services, when exploited, allows an unauthorized attacker to elevate privileges locally. Microsoft states that, to exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. Additionally, an attacker could convince a local user to open a malicious file. The attacker would have to convince the user to click a link, typically by way of an enticement in an email or instant message and then convince them to open the specially crafted file. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. 

CVE-2026-47644 is a critical information disclosure vulnerability due to the Improper neutralization of special elements in output used by a downstream component('injection') in Copilot Chat (Microsoft Edge). Exploiting this vulnerability allows an unauthorized attacker to disclose information over a network. 

CVE-2026-26142 is a remote code execution vulnerability due to deserialization of untrusted data in Nuance Powerscribe. Exploiting this vulnerability could allow an attacker to execute code over a network. 

Talos also highlights 6 critical vulnerabilities as Microsoft has determined that these are unlikely exploited.  

CVE-2026-32193 is a critical Remote Code Execution Vulnerability in Azure Kubernetes Service (AKS) due to Improper limitation of a pathname to a restricted directory (path traversal). An exploitation of this vulnerability allows an authorized attacker to execute the malicious code locally.  Microsoft states that this vulnerability can be exploited by an attacker who can run an untrusted container configured with host Network could send specially crafted requests to a host level service that was not intended for unauthenticated access. This action could allow the attacker to break out of the container and gain control of the AKS worker node. 

CVE-2026-45648 is a critical Remote Code Execution Vulnerability in Windows Active Directory Domain services due to a Stack-based buffer overflow flaw in Active Directory Domain services. An authorized attacker who exploits this vulnerability could execute the malicious code over a network.  

CVE-2026-47288 is a critical Remote Code Execution Vulnerability in Windows Kerberos Key Distribution Center (KDC) due to the Integer overflow or wraparound in Windows Kerberos, when exploited, allows an authorized attacker to execute malicious code over an adjacent network. 

CVE-2026-47654 is a critical Remote Code Execution Vulnerability in Remote Desktop Client due to the Heap-based buffer overflow flaw which when exploited allows an unauthorized attacker to execute malicious code over a network. 

CVE-2026-33828 is a critical Elevation of Privilege Vulnerability in Windows Device Health Attestation (DHA). This vulnerability is due to the trust boundary violation in Windows Attestation which when exploited, allows an authorized attacker to elevate privileges locally. 

CVE-2026-45460 is a critical Information disclosure vulnerability in Microsoft Office due to a buffer over-read flaw which when exploited allows an unauthorized attacker to disclose information locally. 

Talos also shares few other critical vulnerabilities where Microsoft had mentioned that their exploitation status is unknown or not applicable.  

CVE-2026-48567 is a critical elevation of privilege vulnerability in Azure HorizonDB. This vulnerability arises from an authentication bypass through spoofing in Azure HorizonDB. An unauthorized attacker exploiting this vulnerability can elevate their privileges over a network. 

CVE-2026-48579 is a critical information disclosure vulnerability in Microsoft Exchange Online caused by improper authorization. An unauthorized attacker exploiting this vulnerability could disclose information over a network. 

CVE-2026-45497 and CVE-2026-42824 is a remote code execution vulnerability in Microsoft M365 copilot due to improper neutralization of special elements used in a command (‘command injection’). An unauthorized attacker exploiting this vulnerability could execute code over a network.  

CVE-2026-47655 is a critical information disclosure vulnerability in Microsoft Graph that allows an authorized attacker to expose sensitive information to an unauthorized actor over a network. 

Talos would also like to highlight the following "important" vulnerabilities as Microsoft has determined that their exploitation is "more likely:"   

• CVE-2026-42905: Windows DWM Core Library Elevation of Privilege Vulnerability 
• CVE-2026-42980: NT OS Kernel Elevation of Privilege Vulnerability 
• CVE-2026-42986: Microsoft Graphics Component Elevation of Privilege Vulnerability 
• CVE-2026-42989: Winlogon Elevation of Privilege Vulnerability 
• CVE-2026-45481: Microsoft SharePoint Server Spoofing Vulnerability 
• CVE-2026-45586: Windows Collaborative Translation Framework (CTFMON) Elevation of Privilege Vulnerability 
• CVE-2026-45658 and CVE-2026-50507: Windows BitLocker Security Feature Bypass Vulnerability 
• CVE-2026-47634: Microsoft SharePoint Server Spoofing Vulnerability 
• CVE-2026-49160: Windows HTTP Protocol Stack (http.sys) Denial of Service Vulnerability  

A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page.    

In response to these vulnerability disclosures, Talos is releasing a new Snort ruleset that detects attempts to exploit some of them. Please note that additional rules may be released at a future date, and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Ruleset customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.    

Snort 2 rules included in this release that protect against the exploitation of many of these vulnerabilities are: 66572-66577, 66581,66589,66590,66594,66595, 66601-66604 

The following Snort 3 rules are also available: 301523-301525, 301527-301529, 301531, 301532. 

Welcome to this week’s edition of the Threat Source newsletter. 

Howdy friends, and hello from Cisco Live U.S., here in sunny (and very hot) Las Vegas!  

An interesting quirk of being sent to one of these events is you learn to understand your limits as a person. Cisco Live is a three-day event, and it encompasses so many people, partners, workshops, CTFs (!!), and symposiums. I can confidently say that here on day three, I’ve had rarely a moment’s rest and, as they say, my dogs are barking.  

Speaking of dogs, did you know that at Cisco Live we have therapy dogs? Healing Hounds is a local Las Vegas therapy dog volunteer group, and Splunk sponsored them this year. Every two hours, the goodest boys and girls rotate in and you can stop what you are doing to immediately go give them pets. Look at these cute faces. LOOK AT THEM.

Back to limits. One thing I’ve discovered is that conferences like this can be loud. I don’t mind loud. Loud is fine. But eight hours of noise at high levels is stressful. So, I use my Apple AirPods in noise cancelling mode, and it keeps even a massive conference like CLUS to a very manageable dull roar. If you own a pair, or any earplugs, trust me. Use them. It’s not going to shut out the world, but it will give you more stamina in an environment with bright lights and loud noises.

With that much stimuli for an extended period, you must create some space for yourself. Conferences that have quiet or chill spaces, shout out to you! A place for humans to find a moment of rest in the endurance contest that is a technology convention is a wonderful thing.

So what is the vibe at CLUS? AI. All the AI. Not from a product perspective, but from an infrastructure and security perspective. How do folks plan to move and manage that much data, especially in an agentic world? It’s a hot debate, given what I’ve listened to so far. Every business is struggling with it in their own ways, and conferences like CLUS are good opportunities to put those companies in the same room and ideate on ways to process and defend in an AI world. We’re talking many hundreds of zettabytes of data daily, the kind of data pipelines the entire world runs on. At that scale, the challenge is just wild and almost incomprehensible. I’m glad I could help and be a part of those discussions.

As the summer starts, the great patchening is coming as vendors start issuing rapid patches and CVE advisories. This is the quiet before the storm, so enjoy these cute dog photos! Black Hat and DEF CON are around the corner, as well! And always find time during these fire drills to take care of yourself, and if you can, pet some dogs.

The one big thing 

Cisco Talos is expanding our Threat Hunting program to proactively track down advanced adversaries who deliberately slip past traditional detection thresholds. By combining AI-driven telemetry analysis with human expert validation, we continuously hunt for hidden threats across endpoint, network, and identity data. This hypothesis-driven approach allows us to identify complex intrusions — like a recent KongTuke command-and-control (C2) discovery — before a formal detection signature even exists. 

Why do I care? 

Most security tools operate on a simple principle: If a known-bad pattern appears, fire an alert. But as threat actors increasingly leverage AI to move faster and intentionally stay under the radar, relying solely on automated alerts leaves massive blind spots. Hypothesis-driven hunting addresses this gap by correlating weak signals across an environment, allowing defenders to piece together ambiguous anomalies and uncover sophisticated intrusions that would otherwise go unnoticed. 

So now what? 

If your team lacks the dedicated headcount for continuous hunting, Cisco Talos Threat Hunting can bridge the gap. Reach out to your Cisco account team, explore our new dedicated portal in Cisco Security Cloud Control, and read the full blog for a detailed breakdown of our recent KongTuke C2 investigation. 

Top security headlines of the week 

Global stock exchange hit by monthslong email campaign 
A threat actor got a near-continuous view into an influential finance executive's email inbox, thanks to clever use of legitimate, native Windows tools. (Dark Reading) 

One-click GitHub dev attack lets attackers steal full GitHub OAuth tokens 
The vulnerability allows attackers to install malicious VS Code extensions that steal GitHub OAuth tokens when they are passed to GitHub.dev by exploiting a message-passing mechanism between the main VS Code window and webviews. (The Hacker News) 

FBI-flagged phishing kit “Kali365” expands its reach 
Once targeting just Microsoft 365, the phishing-as-a-service platform now aims at AWS, Okta, and Russian platforms, while relying on device code phishing. (Dark Reading) 

Dozens of Red Hat packages backdoored through its official NPM channel 
Official Red Hat NPM accounts have been compromised and used to push a malicious worm that spreads from machine to machine, where it pilfers sensitive credentials in hopes of stealing yet more confidential data, researchers said. (Ars Technica) 

“HTTP/2 Bomb” exploit knocks web servers offline in seconds 
The attack potentially affects over 880,000 websites that support HTTP/2 and run default NGINX, Apache HTTPD, Microsoft IIS, Envoy, or Cloudflare Pingora configurations. (SecurityWeek) 

Can’t get enough Talos? 

Winning the cyber marathon with Tony Giandomenico 
In the high-speed world of cybersecurity, the difference between a breach and a breakthrough often comes down to endurance. Tony Giandomenico, Senior Director of Product Management with Cisco Talos, joins me to discuss Talos Threat Hunting, the challenges of leading major product launches, and the grueling discipline of Ironman triathlons. 

When synthetic logs don’t lie: Generating coherent attack stories for better detection 
Are your detection rules failing because your test data lacks the nuance of a real-world network?  In this episode of Talos Takes, Amy sits down with David Bianco to discuss why traditional synthetic data often falls short and how his new open-source project, EvidenceForge, is changing the game. 

Upcoming events where you can find Talos 

• Cisco Live U.S. (May 31 – June 4) Las Vegas, Nevada 
• Black Hat USA (Aug. 1 – 6) Las Vegas, Nevada 

Most prevalent malware files from Talos telemetry over the past week 

SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
MD5: 2915b3f8b703eb744fc54c81f4a9c67f  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 
Example Filename: VID001.exe  
Detection Name: Win.Worm.Coinminer::1201 

SHA256: 9896a6fcb9bb5ac1ec5297b4a65be3f647589adf7c37b45f3f7466decd6a4a7f 
MD5: 38de5b216c33833af710e88f7f64fc98  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=9896a6fcb9bb5ac1ec5297b4a65be3f647589adf7c37b45f3f7466decd6a4a7f 
Example Filename: sample.exe 
Detection Name: Win.Tool.Procpatcher::1201 

SHA256: c0ad494457dcd9e964378760fb6aca86a23622045bca851d8f3ab49ec33978fe 
MD5: bf9672ec85283fdf002d83662f0b08b7  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=c0ad494457dcd9e964378760fb6aca86a23622045bca851d8f3ab49ec33978fe 
Example Filename: f_000b97.html  
Detection Name: W32.C0AD494457-95.SBX.TG 

SHA256: afc8a00883a4ea07df2dc1d4ed02f8a23b35c9456413b438a2d9ce3ae5076638 
MD5: cc4d231df34e57f59eb970353c7d9de2  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=afc8a00883a4ea07df2dc1d4ed02f8a23b35c9456413b438a2d9ce3ae5076638  
Example Filename: AutoPico.exe  
Detection Name: PUA.Win.Tool.Kmsactivator:: 

SHA256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91 
MD5: 7bdbd180c081fa63ca94f9c22c457376  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91 
Example Filename: d4aa3e7010220ad1b458fac17039c274_62_Exe.exe  
Detection Name: Win.Dropper.Miner::95.sbx.tg**

In the high-speed world of cybersecurity, the difference between a breach and a breakthrough often comes down to endurance. Tony Giandomenico, Senior Director of Product Management with Cisco Talos, joins me to discuss how he balances the intensity of leading major product launches with the grueling discipline of Ironman triathlons.

Beyond the technical specs and new threat hunting features, this conversation dives deep into the human side of leadership. Tony shares his hard-won lessons on the power of communication, the importance of knowing your "why," and how to navigate the complexities of a 30-year career without losing your focus.

Amy Ciminnisi: You have been in the thick of the cyber security world for a while now, and a lot of things have shifted in this field. So what has been the biggest surprise for you, and what keeps you excited about leading the charge on the product side?

Tony Giandomenico: Well, I would probably say that the biggest shift over the last six months has been the increase rate of the capabilities of these frontier models. I'm the first one not to jump on the bandwagon of this stuff, because I've been doing this for about 30 plus years or so, but I think this feels a little different. The capabilities are increasing, and I think what that means to cybersecurity is a big shift. How do we deal with all that? From the adversary side, they're actually breaking in the networks like they typically do. They're moving laterally within the environment. They're evading different types of security controls. Finding vulnerabilities, exploiting those vulnerabilities, all of that stuff.

It's also going to be supercharged on the defensive side. Of course, you don't bring a knife to a gun fight, right? You're going to use the same AI technology — you know, the same frontier models — to speed things up there as well. From the product management side, I think we're going to see the things that we would have previously seen five years down the road a lot sooner. And that's kind of that's what kind of excites me about everything — that opportunity to explore the art of possibility is a lot more at your fingertips where it wasn't necessarily before.

AC: We specifically lined this episode up with the Cisco Talos Threat Hunting launch, which you played a major role in. For people who aren't familiar, can you explain what it is?

TG: Threat hunting is where we're looking for different types of threats that are circumventing our existing security control alerts, detection mechanisms, and so on. When defenders invest in these different types of technologies that are automatically detecting alerts or threats in your environment, the challenge that they have is the sensitivity meter. If they set it to be too high, the team might get inundated with false positives, and then that particular product isn't really worth that investment because you're constantly have to investigate those. So the sensitivity meter has to find some place in the middle. That's where it gives these stealthy threat actors a place to live. So you have a combination of AI and human-in-the-loop services, where we build hypotheses to identify actors that may have actually already circumvented your security controls.

Currently, we're hunting in the endpoint telemetry side (e.g., Secure Endpoint) that we offer our customers today. With this expansion, we're expanding it out to our flagship firewall product. So we'll be hunting within Secure Firewall as well as identity, which actually includes Duo and CII, which is Cisco Identity Intelligence.

AC: How do you keep your cool and stay focused on the why behind the work when you're dealing with the intensity of a major launch?

TG: Before coming to Cisco, I had a small cybersecurity consulting company for about 10 years or so out in the Hawaiian Islands. I had the domain expertise, but I had to learn financial aspects, sales, and marketing. I also had to understand what makes people tick. I wasn't able to talk to every individual the same way to get them on board with things. So the biggest thing that I took away when I went from running my business to working in a larger organization was that when folks are in different departments, there are competing priorities and I have to influence them. I have to get them to understand and believe in the vision. So if you go in there with that mindset, knowing that it's not going to flow exactly how you envisioned, things just work out.

Want to see more? Watch the full interview, and don’t forget to subscribe to our YouTube channel for future episodes of Humans of Talos.

By Ron Scott-Adams

Most security tools operate on a simple principle: If a known-bad pattern appears, fire an alert. This works well enough for many threats, but it fails against adversaries who closely study detection thresholds and deliberately stay under them. 

Cisco Talos Threat Hunting operates on a different principle. Instead of waiting until we’re sure we can cross an alerting threshold, we start with a hypothesis about what specific adversary behavior would look like in the telemetry, and then search for it. Using both AI and human-driven processes, including pioneering hunts built from Talos’ latest threat research, we continuously search for threats that traditional detection misses.

These hunts operate at the leading edge of our intelligence, where patterns are compelling but require expert judgment to distinguish from benign activity. Talos threat analysts provide this judgement to ensure maximum fidelity for your threat landscape. 

This post covers how that works in practice.

Hypothesis-driven hunting vs. alert-driven detection 

A detection rule says, "If X happens, alert." A hunt hypothesis says, "Given this specific threat actor uses these specific techniques, what would those techniques look like in this specific telemetry source?" 

The distinction matters because it inverts the workflow. Detection requires prior knowledge encoded into a rule. Hunting requires only a plausible theory about adversary behavior and the telemetry to test it against. 

Our hypotheses come from multiple sources: active threat intelligence on adversary tradecraft, findings from Cisco Talos Incident Response engagements, and patterns observed across global telemetry from nearly 50 million sensors. When Talos sees a new technique in the wild, we can build a hunt for it before a detection signature exists.

Here are a few examples of these threat hunts:

• Python User-Agent connections to malicious ASN infrastructure. Legitimate Python HTTP requests exist in most environments, but Python calling out to hosting providers with poor reputation scores is a different signal entirely. 
• MSIEXEC User-Agent making connections to suspicious or malicious ASNs. MSIEXEC fetching remote packages is a known living-off-the-land (LOTL) technique. The user-agent string persists in firewall connection logs even when the payload itself is encrypted. 
• Domain generation algorithm (DGA) detection via AI/ML. Algorithmically generated domains have statistical properties (character distribution, entropy, n-gram frequency) that distinguish them from human-registered domains. Our models flag DNS queries that match these patterns. 
• Connections to EVILEMPIRE ASN ranges. Certain autonomous systems have a long, documented history of hosting command-and-control (C2) infrastructure. Outbound connections to these ranges warrant investigation regardless of the specific destination IP. 
• User-Agent and application outliers. Baseline what's normal for an environment, then surface what deviates. A curl binary running on a finance team's workstation at 2am is not the same signal as curl running in a CI/CD pipeline. 
• Endpoint detection and response (EDR) research findings correlated with network indicators of compromise (IOCs). When endpoint telemetry reveals a new threat, the associated network indicators become hunt targets across firewall data for all customers.

Each of these hunts runs continuously. The AI engine executes them at scale, 24 hours a day, across all enrolled customer environments. It surfaces candidates. Then a human analyst investigates.

Case study: KongTuke C2 discovery through multi-domain correlation 

The value of correlating telemetry across security domains is easiest to explain with a real example. During a recent engagement with a customer, Talos analysts identified active KongTuke C2 activity by combining firewall and endpoint data in a way that neither source could have accomplished alone. This is the kind of continual awareness we are seeking to bring to customers everywhere with Talos Threat Hunting.

What the firewall showed 

Cisco Secure Firewall telemetry recorded outbound ConnectionEvents to “144.31.221.82” on port 6060, with a URL path of /capcha9856. This pattern is consistent with a Traffic Direction System (TDS) infection, where a compromised website redirects visitors through a chain of intermediate servers before landing on a malicious payload host. 

The firewall gave us the "what" and "when" — a specific device was reaching out to known-bad infrastructure at a known time. But the firewall alone could not tell us how the connection was initiated or what happened next on the host.

What EDR added 

Pivoting to Cisco Secure Endpoint data for the same DeviceIP, we pulled the full process history around the time of the connection. The endpoint telemetry revealed:

1. A cmd.exe process spawning powershell.exe with an -EncodedCommand parameter containing a Base64-encoded payload 
2. The decoded payload executing Invoke-WebRequest to fetch a file named script.ps1, dropping it into the user's ApplicationData directory 
3. A separate curl.exe process making requests to the same C2 infrastructure the firewall had flagged 
4. Post-execution cleanup via Remove-Item, attempting to delete traces of the downloaded script

Why neither source alone was sufficient 

The firewall saw an outbound connection to a suspicious IP. That's useful, but not conclusive on its own. Hundreds of legitimate services might generate similar connection patterns. The EDR saw obfuscated PowerShell execution. That's suspicious, but without the network context confirming the destination was a known C2 server, it could be a false positive from an overzealous admin script. 

Together, they told a complete story: initial compromise via TDS redirect, payload delivery through encoded PowerShell, C2 communication confirmed by both endpoint process tree and network connection logs, and active evidence of anti-forensics (file cleanup). This is a confirmed intrusion with clear remediation steps, not an ambiguous alert requiring hours of analyst triage. 

Broader sweep 

Once we had the process hashes and file paths from EDR, we searched across the full customer environment for other hosts exhibiting the same behavior. This turned a single finding into a scoped understanding of how far the compromise had spread.

How AI and human analysts divide the work 

Talos Threat Hunting runs on a hybrid model where each component does what it's best at. 

The AI engine handles volume and persistence. It executes hundreds of hunt hypotheses continuously across all customer environments. It applies statistical models (DGA detection, behavioral baselining, anomaly scoring) to telemetry streams at a scale no analyst team could match. Its job is to reduce the search space by taking the full volume of telemetry and surfacing the subset that warrants human attention. 

Human analysts handle context and judgment. A statistical anomaly is not the same as a confirmed threat. Analysts validate findings by correlating across data sources, applying knowledge of the customer's environment, and making determinations that require understanding adversary intent. When an analyst confirms a finding, the customer receives a written notification explaining what was observed, why it matters, how it maps to known techniques (MITRE ATT&CK or equivalent), and specific remediation guidance. 

This is not "AI finds threats and humans approve them." The AI surfaces candidates from a space too large for humans to search manually. Humans then do investigative work that AI cannot always reliably perform: understanding whether a particular behavior is malicious or benign given the full operational context of that specific environment.

The feedback loop: Hunting improves detection 

Every confirmed finding is first reported to the customer, then evaluated for a second question: “Should this have been caught by automated detection?” 

If the answer is yes, that means a detection gap exists. Maybe a rule needs tuning, a sensor configuration needs adjustment, or the customer's policy allows something that creates unnecessary exposure. In each case, the finding feeds back into product improvement or customer-specific configuration recommendations.

This creates a cycle: Intelligence drives hypotheses, hypotheses drive hunts, hunts produce findings, findings improve detection, and better detection raises the bar for what qualifies as "between the alerts." The space we hunt in gets harder to exploit over time. 

What this means for your security team 

If you have a mature SOC, this covers the ground your team is not currently reaching. These hypotheses are built from global threat intelligence, executed continuously, across telemetry your analysts may not have time to proactively search. The findings are validated before they reach you, so they add signal without adding noise. 

If you are running a lean security operation, this provides a hunting capability that would otherwise require dedicated headcount, specialized tooling, and the institutional knowledge to know what "normal" looks like well enough to spot deviations. 

Either way, the output is not more alerts. It's written findings with context, mapped to adversary techniques, with clear next steps that you can act on directly. To learn more, contact your Cisco account team and explore what’s possible with Cisco Talos.  

Some products or features described may be in various stages of development and offered on a when-and-if available basis. Cisco reserves the right to change delivery timelines and will have no liability for any delays or failures to deliver.  

Welcome to this week's edition of the Threat Source newsletter. 

Recently, Martin closed his introduction with a warning: Ready or not, the time of much patching is coming. I've been chewing on that one for a while because I'm rethinking my own enrichment pipelines along these lines, and the questions Martin raised are the ones I keep running into — with one or two ideas on what practitioners can actually do about it. 

Honestly speaking, most of us are still prioritising the wrong way. CVSS has been the default for over a decade — but it only answers one question: How bad could this be in theory? It's a severity score, not a risk score. A CVSS 9.8 on something nobody is exploiting (and nobody ever will) is a very different problem from a CVSS 7.2 that's being weaponised in the wild this morning. If your patch queue is sorted purely by CVSS, you'respending finite operations capacity on hypotheticals. 

This is where EPSS (Exploit Prediction Scoring System) earns its place next to CVSS. EPSS is a probability — between 0 and 1 — that a given CVE will be exploited in the next 30 days, based on real-world signals. The two answer different questions:

CVSS tells you how bad it would be if exploited. EPSS tells you how likely it is to actually happen to you soon. Used together, a high CVSS and a high EPSS is your "drop everything" pile, while a high CVSS and a very lowEPSS can probably wait behind a medium with an EPSS of 0.7. That single change in triage logic can meaningfully shrink the patch backlog without weakening your posture. 

The second ingredient is knowing what is actually being exploited — and here, many teams default to CISA's KEV catalog. KEV is excellent, and I've quoted KEV numbers in this newsletter more times than I can count. CISA contributes as an Authorized Data Publisher (ADP) in the CVE Program, enriching records alongside the original CNA's data. That model works well, but it's also why KEV is structurally centralized, conservative in what it admits, and naturally scoped to what U.S. federal visibility surfaces. For a global practitioner — and writing this from Germany, I notice — "Is this being exploited?" deserves a broader lens. 

That broader lens is starting to take shape with GCVE (Global CVE), a decentralized approach to vulnerability identification and enrichment. Two properties matter for the surge that's coming: 

1. Speed of enrichment. Because GCVE is decentralized, enrichment data — references, affected products, exploit indicators — doesn't have to wait in a single queue. In practice, actionable context arrives meaningfully faster than the traditional NVD pipeline, which has visibly struggled with backlog over the past two years. 
2. Broader exploitation signal. Rather than a single authoritative list of what is being exploited, GCVE makes room for multiple sources of exploitation evidence to surface against the same identifier. That gives defenders outside the U.S. (and frankly, inside it too) a more complete picture than KEV alone. 

Pair that with EPSS on top of CVSS, and you end up with a triage stack that is faster, broader, and probability-informed rather than only severity. 

None of this removes the patching workload that is coming, but it does change which patches you sprint on at 2:00 a.m. and which ones can ride the normal cycle. Before the surge arrives, that's a worthwhile thing to get right.

The one big thing 

Cisco Talos released EvidenceForge, a new open-source tool designed to generate highly realistic, correlated synthetic security logs. This tool solves the chronic shortage of high-quality, labeled datasets needed to train threat hunters and validate detection logic. By using a single canonical event model and AI-assisted scenario authoring, EvidenceForge ensures causal and temporal consistency across more than 20 log formats. 

Why do I care? 

Relying on heavily scrubbed public datasets or red team engagements often leaves security teams with incomplete telemetry. While most synthetic generators spit out independent events that fail to tell a coherent story, EvidenceForge injects realistic background noise, red herrings, and proper causal sequencing into the mix. This allows your team to work with synchronized datasets that (more) accurately mimic real-world network visibility without the compliance headaches of using production data. 

So now what? 

Security teams can head over to GitHub to clone the EvidenceForge repository and use its guided conversation feature to build custom attack scenarios. Defenders can then use these newly generated datasets to build robust SOC analyst training programs, stress-test a new SIEM, and validate detection pipelines before they touch a production environment. You can find the full details and the link to the open-source repository in the blog post. 

Top security headlines of the week 

Lawmakers demand answers as CISA tries to contain data leak 
Lawmakers are demanding answers from the U.S. Cybersecurity & Infrastructure Security Agency (CISA) after a contractor intentionally published AWS GovCloud keys and a vast trove of other agency secrets on a public GitHub account. (KrebsOnSecurity) 

Over 5,500 GitHub repositories infected in “Megalodon” supply chain attack 
The campaign relies on GitHub Actions workflows containing a payload designed to steal credentials, keys, tokens, and other secrets. The workflows were injected through over 5,700 malicious commits pushed to the impacted repositories on May 18. (SecurityWeek) 

Authorities seized 800 servers of hosting company used to launch cyber attacks 
The investigation centers on a web hosting company established on Feb. 10, 2022, weeks before Russia invaded Ukraine. The infrastructure was allegedly used to support cyber attacks, disinformation campaigns, and sanctions evasion linked to Russia. (CyberSecurityNews) 

Content delivery exploit opens websites to brand hijacking 
The Underminr domain-fronting attack allows threat actors to modify web requests and leverage trusted websites to cloak malicious activity. (Dark Reading) 

Cisco’s risk-based vulnerability disclosure in the age of AI 
Cisco is adapting its vulnerability disclosure practices, focusing on increasing the visibility of detailed technical information for vulnerabilities that are critical, actively exploited, or have a higher likelihood of exploitation. (Cisco blog) 

Can’t get enough Talos? 

DICOM, Pydicom, GDCM, and Orthanc: A technical tour of what really happens in the heap 
Hospitals rely on DICOM-based PACS systems, and those systems often automatically ingest files received over the network. Our latest white paper presents a concrete case study demonstrating the creation of a heap overflow vulnerability through the exploitation of the DICOM file format. 

MediaArea heap-based buffer overflow vulnerabilities 
MediaArea produces digital media analysis open-source software, as well as support tools for file investigation. Talos discovered four vulnerabilities in MediaInfoLib, which provides a UI for technical and tag data for video and audio media files.

Breaking things to keep them safe with Philippe Laulheret 
From his memorable experiment using a green onion to bypass a biometric fingerprint reader to his experience on the frontlines of cybersecurity, Philippe shares the journey that led him to vulnerability research. 

Upcoming events where you can find Talos 

• Cisco Live U.S. (May 31 – June 4) Las Vegas, Nevada 

Most prevalent malware files from Talos telemetry over the past week 

SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
MD5: 2915b3f8b703eb744fc54c81f4a9c67f  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 
Example Filename: VID001.exe  
Detection Name: Win.Worm.Coinminer::1201** 

SHA256: 9896a6fcb9bb5ac1ec5297b4a65be3f647589adf7c37b45f3f7466decd6a4a7f 
MD5: 38de5b216c33833af710e88f7f64fc98  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=9896a6fcb9bb5ac1ec5297b4a65be3f647589adf7c37b45f3f7466decd6a4a7f 
Example Filename: sample.exe  
Detection Name: Win.Tool.Procpatcher::1201 

SHA256: 5e6060df7e8114cb7b412260870efd1dc05979454bd907d8750c669ae6fcbcfe 
MD5: a2cf85d22a54e26794cbc7be16840bb1 
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=5e6060df7e8114cb7b412260870efd1dc05979454bd907d8750c669ae6fcbcfe 
Example Filename: a2cf85d22a54e26794cbc7be16840bb1.exe  
Detection Name: W32.5E6060DF7E-100.SBX.TG 

SHA256: afc8a00883a4ea07df2dc1d4ed02f8a23b35c9456413b438a2d9ce3ae5076638 
MD5: cc4d231df34e57f59eb970353c7d9de2 
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=afc8a00883a4ea07df2dc1d4ed02f8a23b35c9456413b438a2d9ce3ae5076638 
Example Filename: AutoPico.exe 
Detection Name: PUA.Win.Tool.Kmsactivator::1201 

Over the last decade, DICOM parsing has become an active research topic. The reason is simple: DICOM is both critical and complicated. Hospitals rely on DICOM-based PACS systems, and those systems often automatically ingest files received over the network. That means malformed data could directly trigger vulnerable decoders — the holy grail of attack surfaces for those studying robustness.

This white paper presents a concrete case study demonstrating the creation of a heap overflow vulnerability through the exploitation of the DICOM file format. The objective is to show how an Orthanc server can be targeted during the image upload process, resulting in an out-of-bounds write.

DICOM, Pydicom, GDCM,
and Orthanc

A technical tour of what really happens
in the heap

Download now

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed four vulnerabilities in MediaArea MediaInfoLib library.

The vulnerabilities mentioned in this blog post have been patched by their respective vendor, in adherence to Cisco’s third-party vulnerability disclosure policy.

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.

MediaArea vulnerabilities

Discovered by Dimitrios Tatsis of Cisco Talos.

MediaArea produces digital media analysis open-source software, as well as support tools for file investigation. MediaInfoLib provides a UI for technical and tag data for video and audio media files. Talos discovered four vulnerabilities in MediaInfoLib.

TALOS-2026-2367 (CVE-2026-25104), TALOS-2026-2368 (CVE-2026-25713), TALOS-2026-2371 (CVE-2026-28764), and TALOS-2026-2374 (CVE-2026-22554) are heap-based buffer overflow vulnerabilities in various functionalities of MediaInfoLib (version(s): 26.01). All can lead to arbitrary code execution. An attacker can provide a malicious file to trigger these vulnerabilities.

Good data is hard to find... and to create

A lot of important work in security depends on having realistic log data to work with, and a lot of that work gets blocked, watered down, or quietly skipped because the data just isn’t available. The use cases come up constantly: teaching threat hunters, incident responders, and detection engineers with datasets that have known ground truth; validating that a detection fires on the right activity without drowning in false positives; and training ML models that need labeled, balanced, multi-source telemetry at scale.

These are different problems with the same root cause. You need realistic, labeled security logs and you can’t get them easily. The options are limited:

• Real production telemetry is a compliance problem. Public datasets are often so heavily anonymized they no longer resemble the original log sources. The LANL dataset and OpTC are well-known examples of data scrubbed to the point of being generic event representations rather than actual telemetry. What isn’t anonymized is stale, narrow, and over-recycled.
• You can generate data yourself using attack simulation frameworks like Atomic Red Team or MITRE Caldera, but that requires real infrastructure, is time-consuming to operate, and scales poorly when you need variety. 
• You can hire a red team, which trades complexity for money but still takes weeks and produces only the specific scenario they ran. 

Synthetic generators seem like an obvious solution and many existing ones are genuinely useful tools, but they share a common architectural limitation: They generate events independently, one format at a time, with no shared state across log sources. The result is datasets where events don’t tell a coherent story. For example, a process in Sysmon doesn’t connect to the same process in standard Windows logs, or a network logon doesn’t leave a consistent connection trace. More capable tools support attack chains and MITRE ATT&CK mapping, but even then, they generate individual events rather than simulating something that happened, with all the prerequisite and consequent evidence that real activity would produce. Realistic background noise is largely absent.

What analysts detect when they call data synthetic is the absence of a coherent causal story. The logs don’t line up because they emit each log entry independently from the others, and they are not modeling a series of connected events.

The answer: A new kind of synthetic data

EvidenceForge is a new open-source project from Cisco Talos that approaches the problem differently. It features a single canonical event model, causal ordering, realistic background noise, and AI-assisted scenario authoring. The result is a synchronized dataset across 20+ log formats (Windows, Linux, network, and endpoint detection and response [EDR] telemetry), complete with ground truth documentation and an analyst briefing.

One honest note: No purely synthetic dataset will fool a seasoned analyst in every case, but that’s okay. The goal is fidelity that’s good enough to be useful, not something that’s indistinguishable from production.

The core idea: One event, many formats 

Most synthetic log generators are a collection of independent emitters. Each one knows how to produce its own format but doesn’t share state with the others. You can see the seams the moment you cross-reference across sources. 

EvidenceForge inverts that. Every piece of evidence flows from a single canonical SecurityEvent object. That object carries a timestamp and event type, plus over 30 composable context objects populated as needed: ProcessContext (PID, parent PID, image, command line), NetworkContext (src/dst IP and port, Zeek UID, shared across Zeek, EDR, and SNORT®), AuthContext (username, LogonID, logon type, result), DnsContext and HttpContext (protocol-layer detail that fans out into the corresponding Zeek log types), and many more. Emitters read only the fields relevant to their format.

The consequence of shared contexts is that emitters cannot disagree. There is one PID, one LogonID, one timestamp, and one Zeek UID. The engine is also OS-aware: Windows hosts produce Security Events and Sysmon while Linux hosts produce syslog and bash history, each according to the OS assigned to each host in the scenario. 

All of this is driven by a scenario configuration file: a YAML document describing the environment (hosts, users, network topology) and an optional attack storyline. The engine reads that file and produces the correlated dataset. 

What the engine produces 

From a single scenario, EvidenceForge generates several correlated log formats:  

• Windows Security Events (30 event IDs covering authentication, process lifecycle, Kerberos, persistence, account management, and more) 
• Sysmon (10 event IDs) 
• EDR/XDR telemetry 
• Linux syslog 
• bash history 
• Zeek logs in JSON format 
• Snort IDS alerts 
• Firewall logs 
• Web server access logs 
• Forward HTTP proxy logs 

The exact output logs depend on a combination of the components in the simulated environment, and which log sources you may have opted to disable. 

Every attack scenario also produces two companion documents.  

• “ENVIRONMENT.md” is an analyst briefing consisting of organizational context, network layout, user roles, naming conventions — everything an analyst would need before diving into the logs, with zero information about the attack itself.  
• “GROUND_TRUTH.md” documents exactly what happened including a narrative, a timeline, and key IOCs. 

Causality, not just sequence 

Real logs are both temporally and causally ordered. Before a domain logon, there’s a Kerberos TGT, then a TGS. Before a TCP connection to a hostname, there’s a DNS query. This is the physics of how the protocols work.

EvidenceForge ships with a composable rule engine that auto-generates prerequisite events with realistic timing offsets so that each event sits exactly where an analyst would expect to pivot to it: 

• A logon in the scenario expands to the Kerberos exchange that made it possible. 
• A connection to a named host gets the DNS resolution inserted beforehand. 
• A privileged admin command generates downstream audit events. 

Network visibility is a first-class concept 

Most synthetic generators are too visible, meaning that every connection gets a log, regardless of whether a sensor would have seen it. Real networks don’t work that way. Traffic between hosts on the same VLAN may never cross a SPAN port. East-west traffic in a segmented network may be invisible to perimeter sensors. A TAP at the internet edge sees outbound traffic but nothing internal. 

EvidenceForge lets you declare sensor placement in the scenario: SPAN or TAP, monitored segments, and direction. The engine determines which connections each sensor could realistically observe and only emits network logs where they’d actually appear. If your environment has a monitoring gap, the generated data has that same gap, which is exactly the kind of thing analysts need to learn to reason about.

AI co-develops the story; a script generates the evidence 

The hard part of realistic synthetic data is scenario design, not generation. Describing a coherent attack lifecycle with the right tactics, techniques, and procedures (TTPs); realistic sequencing; and plausible actor behavior requires research and protocol knowledge most people don’t carry in their heads.

EvidenceForge addresses this with Claude/Codex skills. You bring intent (an attack type, an environment, a training objective), the AI brings research and technical scaffolding (a guided interview, MITRE ATT&CK TTP research), and together you collaboratively develop the attack narrative, resulting in a validated YAML scenario file.

The YAML is version-controllable, shareable, and editable. Once it exists, generation is entirely deterministic: a Python script reads the config and produces all the correlated log evidence.

This separation is the optimal balance of what each technology is good at. AI excels in narrative coherence, TTP research, and protocol knowledge. A deterministic script excels at the thousands of cross-referenced field values, causal prerequisite chains, and inter-format consistency checks that make up a realistic dataset. This would overwhelm even a capable LLM at scale, and hallucinated field values or subtle inconsistencies would undermine the whole point.

A typical scenario costs pennies in API calls to co-develop, and the data generates in seconds or minutes rather than the hours or days an LLM-based approach would require. EvidenceForge also produces identical output every run because randomness is seeded. Built-in validation checks the scenario for schema correctness and cross-reference integrity before generation runs, and the AI can automatically fix most errors it finds.

Making the background convincing 

Attack events are only useful if analysts have to work to find them. Noise quality matters as much as signal quality. 

EvidenceForge’s baseline engine generates several types of realistic background noise, including: 

• Legitimate lateral movement patterns (backup agents, monitoring tools, AD replication, application-to-database traffic) 
• User and application-driven network activity (web browsing, SMB file share access, RDP sessions, scheduled service polling) 
• Per-user diversified command pools, depending on user role 
• Red herrings (suspicious-looking events or patterns that are benign) 

Timing is just as important as content. Volume-level realism without burst-level texture still looks synthetic. EvidenceForge uses three complementary timing models:

• A Hawkes process for user activity, a self-exciting model where each event makes the next more likely for a short window, then decays, matching how people actually work in bursts
• A periodic envelope for large-scale structure (Monday login storms, Friday drop-off, and near-zero weekends)
• Periodic intervals plus jitter for modelling recurring automated events like scheduled tasks, background updates, and other system and service traffic 

Most timing details are exposed in the scenario or engine config files, so you can tweak them to make them as realistic as you like for your simulated environment. 

Getting started 

EvidenceForge is available on GitHub. Clone the repo and follow the install instructions in the README. 

The core experience is a guided conversation. Start the /eforge:scenario command and describe what you want. You can be as specific or as vague as you like. Bring a fully formed scenario and the AI helps translate it into a valid configuration; bring a rough idea and it asks the right questions, fills in the gaps, and makes suggestions until you have something technically coherent and satisfyingly realistic. From there, the skill leads you through validation, generation, and a brief automated data quality evaluation. You come out the other end with a complete, correlated dataset and companion documents. A full CLI is also available for scripted workflows.

What will you build? 

EvidenceForge removes the data bottleneck. The question becomes what you do with that. The following are just a few examples: 

• Build a SOC analyst training program with scenarios tailored to your environment. 
• Test detections against controlled, labeled datasets before they go near production. See whether they fire on the attack and how they behave against realistic noise.
• Generate the labeled training data your ML model needs.  
• Stress-test a new SIEM or detection pipeline against volume and variety you control. 
• Create repeatable practice exercises that can be regenerated on demand after tuning.

The scenarios themselves are shareable artifacts. A scenario developed for one team can be shared, adapted, or built on by others. The right mental model is high-fidelity training and testing data — not a production telemetry substitute — but within that framing, the use cases are broad.

Welcome to this week’s edition of the Threat Source newsletter.  

“It takes very little to govern good people. Very little. And bad people can’t be governed at all. Or if they could, I never heard of it.” ― Cormac McCarthy, No Country for Old Men 

Most of my career has been built on dichotomy: striving to be a supportive teammate while also pushing every boundary in front of me. I've often been told to “never do X, only do Y,” but I’ve invariably chosen to do X anyway (even when fraught with peril) to get to the deeper answer. For years, I was told that I should perform in certain ways — instead of in ways that made sense for my brain and way of learning. 

I wasn’t governable, but I wasn’t bad. Just ... challenging. While Sheriff Ed Tom Bell’s view of good vs. bad is compelling, maybe our careers should be defined as “acquiescent” vs. “challenging.” It’s less of an existential crisis that way. 

Over the past few years, I’ve been enjoying the mentoring aspect of my career. One of the things that I love to share with people is that being ungovernable is very challenging early in career; it’snot a favorite of middle management, but it can take you to places that you really want to be (i.e., Talos). The road is going to be longer and much bumpier than your governable cohort, but this is the long con. 

The path to Talos was long and arduous, but I've learned to make my career choices through the lens of the axiom, “If you’re the smartest person in the room, you’re in the wrong room.” It's been the only guidepost I’ve needed. I don’t know that it applies to everyone, because everyone is unique, but it absolutely helps me decide what I want to learn, what I want to dive into, who I want to surround myself with. 

The secret lies in the last comment — it's the people. If you continue to search for the smartest people in the room, you’ll find it and when you do, you’ll find that you aren’t ungovernable — rather, you’re understood. Be ungovernable (but kind) in the short term, find new ways to solve problems, think around solutions in new ways, program in different languages, and be the person in the meeting that says, “I think we should do Y instead, and here’s why.” 

I suspect that this is the same approach many of you already take in your daily roles when identifying threats vs. benign activity, choosing your pivots in hunting, or deciding the priorities in device replacement. It’s a natural direction for the intellectually curious, so be kind, but ungovernable. 

“The future of intelligence must be about search, while the future of ignorance must be about the inability to evaluate information.” ― Patricia Lockwood, No One Is Talking About This 

The one big thing 

Cisco Talos has recently discovered a commodity BadIIS malware variant fueling a thriving malware-as-a-service (MaaS) ecosystem for Chinese-speaking cybercrime groups. Identifiable by its embedded "demo.pdb" strings, this toolset boasts a multi-year development cycle complete with builder tools and persistence mechanisms. Threat actors are leveraging this robust framework to easily execute malicious search engine optimization (SEO) fraud, hijack server content, and redirect traffic to illicit sites. 

Why do I care? 

This is a highly active, commercially driven malware ecosystem. The author constantly pushes rapid updates to introduce new features and actively evade specific security vendors, making it a persistent headache for defenders. Because this BadIISvariant is sold as a commodity tool, it lowers the barrier to entry for cybercriminals, leading to widespread attacks that silently hijack server traffic without triggering obvious alarms. 

So now what? 

Defenders should actively monitor IIS environments for unauthorized traffic redirection, unexpected reverse proxying, or sudden spikes in "503 Service Unavailable" errors. Threat hunting efforts should also target the distinct "demo.pdb" strings and associated Chinese-language folder paths within IIS binaries. Ensure your endpoint detection solutions are updated to catch these reactive evasion tactics, and read the full blog for complete coverage and indicators of compromise (IOCs). 

Top security headlines of the week 

CISA exposes secrets, credentials in “private” repo 
A researcher discovered a public GitHub repository belonging to CISA that contained 844MB of sensitive data, including plain-text passwords, authentication tokens, and other secrets. (Dark Reading) 

NYC Health + Hospitals says hackers stole medical data and fingerprints, affecting at least 1.8 million people 
The breach is particularly sensitive because hackers stole biometric information, including fingerprints and palm prints, which affected individuals have for life and cannot replace. (TechCrunch) 

Bug bounty businesses bombarded with AI slop 
Companies that pay hackers to find flaws in their software are being inundated with low-quality (often false) reports generated by AI, forcing some to suspend the programs altogether. (Ars Technica) 

Four OpenClaw flaws enable data theft, privilege escalation, and persistence 
The vulnerabilities, collectively dubbed Claw Chain, can permit an attacker to establish a foothold, expose sensitive data, and plant backdoors. (The Hacker News) 

New NGINX vulnerability allows remote attackers to trigger malicious code 
A new vulnerability in NGINX JavaScript (njs) allows unauthenticated remote attackers to trigger a heap‑based buffer overflow that can lead to denial‑of‑service and, in some conditions, remote code execution in the NGINX worker process. (Cyber Security News) 

Can’t get enough Talos? 

TP-Link, Photoshop, OpenVPN, Norton VPN vulnerabilities 
Talos’ Vulnerability Discovery & Research team recently disclosed eight vulnerabilities in TP-Link, and one each in Adobe Photoshop, OpenVPN, and Gen Digital's Norton VPN. The vulnerabilities have been patched by their respective vendors. 

Webinar: AI found the problem. Now what? 
Experts from Talos and Cisco Security will examine how AI is changing the game for both defenders and well-resourced adversaries, and why the most persistent risks often remain rooted in unpatched legacy systems. 

Breaking things to keep them safe with Philippe Laulheret 
From his memorable experiment using a green onion to bypass a biometric fingerprint reader to his experience on the frontlines of cybersecurity, Philippe shares the journey that led him to vulnerability research. 

Upcoming events where you can find Talos 

• Cisco Live U.S. (May 31 – June 4) Las Vegas, Nevada 

Most prevalent malware files from Talos telemetry over the past week 

 SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
MD5: 2915b3f8b703eb744fc54c81f4a9c67f  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
Example Filename: VID001.exe  
Detection Name: Win.Worm.Coinminer::1201** 

SHA256: d87e8d9d43758ce67a8052cb2334b99cc24f9b0437ee44815f360be0b22d835a  
MD5: 362498c3e71eeaa066a67e4a3f981d1c  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=d87e8d9d43758ce67a8052cb2334b99cc24f9b0437ee44815f360be0b22d835a  
Example Filename: TunMirror.exe  
Detection Name: PUA.Win.Tool.Tunmirror::1201 

SHA256: 9896a6fcb9bb5ac1ec5297b4a65be3f647589adf7c37b45f3f7466decd6a4a7f  
MD5: 38de5b216c33833af710e88f7f64fc98  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=9896a6fcb9bb5ac1ec5297b4a65be3f647589adf7c37b45f3f7466decd6a4a7f  
Example Filename: SECOH-QAD.exe  
Detection Name: Win.Tool.Procpatcher::1201 

SHA256: acd55c44b8b0d66d66defed85ca18082c092f048d3621da827fce593305c11fd  
MD5: 0f03f72a92aef6d63eb74e73f8ac201d  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=acd55c44b8b0d66d66defed85ca18082c092f048d3621da827fce593305c11fd  
Example Filename: KMSSS.exe  
Detection Name: PUA.Win.Tool.Hackkms::1201 

SHA256: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974  
MD5: aac3165ece2959f39ff98334618d10d9  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974  
Example Filename: d4aa3e7010220ad1b458fac17039c274_63_Exe.exe  
Detection Name: W32.Injector:Gen.21ie.1201

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed eight vulnerabilities in TP-Link, and one each in Adobe Photoshop, OpenVPN, and Gen Digital's Norton VPN.

The vulnerabilities mentioned in this blog post have been patched by their respective vendors, in adherence to Cisco’s third-party vulnerability disclosure policy, except the Norton VPN vulnerability, which was discovered in-use before a patch was available. 

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.

TP-Link vulnerabilities

Discovered by Lilith >_> of Cisco Talos.

The TP-Link Archer AX53 is a dual band gigabit Wi-Fi router. Talos has disclosed eight vulnerabilities, as follows:

TALOS-2025-2302 (CVE-2026-30814) is a stack-based buffer overflow vulnerability in the tmpServer opcode 0x436 functionality of Tp-Link AX53 v1.0 1.3.1 Build 20241120 rel.54901(5553). A specially crafted set of network packets can lead to arbitrary code execution. An attacker can send packets to trigger this vulnerability.

TALOS-2025-2303 (CVE-2026-30815) is an OS command injection vulnerability in the OpenVPN configuration restore script_security functionality of Tp-Link Archer AX53 v1.0 1.3.1 Build 20241120 rel.54901(5553). A specially crafted configuration value can lead to arbitrary command execution. An attacker can upload a malicious file to trigger this vulnerability.

TALOS-2025-2304 (CVE-2026-30816) is an external config control vulnerability in the OpenVPN configuration restore crt.sed functionality of Tp-Link Archer AX53 v1.0 1.3.1 Build 20241120 rel.54901(5553). A specially crafted configuration value can lead to arbitrary file reading. An attacker can upload a malicious file to trigger this vulnerability.

TALOS-2025-2305 (CVE-2026-30817) is an external config control vulnerability in the OpenVPN configuration restore route_up functionality of Tp-Link Archer AX53 v1.0 1.3.1 Build 20241120 rel.54901(5553). A specially crafted configuration value can lead to arbitrary file reading. An attacker can upload a malicious file to trigger this vulnerability.

TALOS-2025-2306 (CVE-2026-30818) is an OS command injection vulnerability exists in the dnsmasq configuration restore dhcpscript functionality of Tp-Link Archer AX53 v1.0 1.3.1 Build 20241120 rel.54901(5553). A specially crafted configuration value can lead to arbitrary command execution. An attacker can upload a malicious file to trigger this vulnerability.

TALOS-2025-2307, TALOS-2025-2308, and TALOS-2025-2309 are OS command injection vulnerabilities in the OpenVPN configuration restore client_disconnect, client_connect, and route_up functionalities of Tp-Link Archer AX53 v1.0 1.3.1 Build 20241120 rel.54901(5553). A specially crafted configuration value can lead to arbitrary command execution. An attacker can upload a malicious file to trigger this vulnerability.

Photoshop vulnerabilities

Discovered by KPC of Cisco Talos.

Adobe Photoshop is a popular digital photo manipulation and illustration program with a wide array of features for personal and business use cases.

TALOS-2025-2274 (CVE-2026-34632) is a privilege escalation vulnerability in the installation process of Adobe Photoshop via the Microsoft Store. The vulnerable version of the installer is Photoshop_Set-Up.exe 2.11.0.30. A low-privilege user can replace files during the installation process, which may result in elevation of privileges.

OpenVPN vulnerabilities

Discovered by Emma Reuter of Cisco ASIG.

OpenVPN is an open source SSL VPN with remote access, site-to-site VPNs, WiFi security, enterprise load balancing, failover, and granular access control features available.

TALOS-2026-2381 (CVE-2026-35058) is a reachable assertion vulnerability in the TLS Crypt v2 Client Key Extraction functionality of OpenVPN 2.6.x and 2.8_git. A specially crafted network packet can lead to a denial of service. An attacker can send a sequence of malicious packets to trigger this vulnerability.

Gen Digital Norton VPN vulnerabilities

Discovered by KPC of Cisco Talos.

Gen Digital's Norton VPN client is a proprietary tool for private proxy network information exchange. 

TALOS-2025-2276 (CVE-2025-58074) is a privilege escalation vulnerability in the installation process of Norton VPN via the Microsoft Store. A low-privilege user can replace files during the installation process, which may result in deletion of arbitrary files, possibly leading to elevation of privileges.

Mystery BadIIS containing “demo.pdb” 

Since 2024, Talos has investigated numerous attacks across the Asia-Pacific region (along with a few in South Africa, Europe and North America) that utilize a specific variant of BadIIS characterized by "demo.pdb" strings. While multiple security vendors are tracking the global spread of these variants, Talos' observed tactics, techniques, and procedures (TTPs) show notable divergences from those documented by other vendors like Trend Micro, Ahnlab, VNPT, and Elastic. Consequently, it is difficult to attribute these attacks to a single threat actor. However, we assess with moderate confidence that the "demo.pdb" BadIIS variant is a commodity tool utilized by multiple Chinese-speaking cybercrime groups. 

Insights from embedded PDB strings 

Although the core functionality of this BadIIS variant is largely limited to SEO fraud, content injection, and proxy‑based traffic manipulation, our investigation pivoted toward the malware’s embedded PDB strings. The consistent PDB path pattern offers much more intelligence value than the generic “demo.pdb” filename. The combination of a stable “Administrator\Desktop” build environment, Chinese-language folder names, and date-based versioning creates a highly reliable fingerprint for tracking and clustering this BadIIS version toolset. Beyond reinforcing our assessment that this is a commodity IIS malware family, the PDB paths enabled attribution to a possible customer name alias “x神” (“xshen”). Furthermore, the PDB artifacts reveal the existence of customized builds, some explicitly tailored to:

• Bypass specific antivirus products, such as Norton 
• Perform site‑wide hijacking 
• Redirect users conditionally based on browser language or environment

Prompted by these initial discoveries, Talos expanded our threat hunting efforts to identify similar PDB strings associated with this author with high confidence. The PDB paths extracted from these BadIIS variants reveal a sustained, multi-year development effort spanning from at least September 2021 to January 2026. By analyzing the developer's folder naming conventions, we can accurately map the malware's evolutionary trajectory, feature branching, and commercialization model.

Timeline and iterative maintenance 

Talos observed that the earliest explicit timestamp in the PDB paths is Sept. 30, 2021, indicating that the development of this specific toolset began on or before this date. The naming conventions observed in folders such as “dll0217”, “dll0301”, and “dll0315” (likely representing February 17, March 1, and March 15) demonstrate periods of rapid, sprint-like updates. Additionally, the “dll-no503” directory is particularly notable; it likely represents a troubleshooting build designed to resolve an issue where the malware caused IIS to throw "503 Service Unavailable" errors, which would otherwise alert server administrators to the infection. Finally, the latest observed compilation date, “dll20260106” (Jan. 6, 2026), confirms that this toolset remains actively maintained and deployed in the wild as of early 2026.

Feature branching and evasion tactics 

Talos also observed that the folder “兼容百度浏览器+劫持robots.txt” (“Compatible with Baidu browser + hijacking robots.txt”) explicitly confirms the malware's role in malicious SEO campaigns, specifically targeting the Chinese search engine ecosystem. Furthermore, the “2024-05-05-tcp" branch indicates a shift or enhancement in how the malware handles network traffic, potentially introducing custom proxying or SEO fraud communication protocols over raw TCP. Additionally, the inclusion of “过诺顿” (”bypass Norton”) in the build paths highlights a reactive development cycle, demonstrating that the author actively modifies the code to evade specific security vendor detections.

Below are the PDB strings Talos collected:

• C:\Users\Administrator\Desktop\2021-09-30\x64\Release\demo.pdb 
• C:\Users\Administrator\Desktop\iis\x64\Release\demo.pdb 
• C:\Users\Administrator\Desktop\dll\x64\Release\demo.pdb 
• C:\Users\Administrator\Desktop\dll0217\Release\demo.pdb 
• C:\Users\Administrator\Desktop\dll0217\x64\Release\demo.pdb 
• C:\Users\Administrator\Desktop\dll0301\Release\demo.pdb 
• C:\Users\Administrator\Desktop\dll0301\x64\Release\demo.pdb 
• C:\Users\Administrator\Desktop\dll0315\Release\demo.pdb 
• C:\Users\Administrator\Desktop\dll0315\x64\Release\demo.pdb 
• C:\Users\Administrator\Desktop\dll-no503\Release\demo.pdb 
• C:\Users\Administrator\Desktop\dll-no503\x64\Release\demo.pdb 
• C:\Users\Administrator\Desktop\兼容百度浏览器+劫持robots.txt\x64\Release\demo.pdb  
  (translation: “compatible with Baidu browser + hijacking robots.txt”) 
• C:\Users\Administrator\Desktop\2023-10-10\dll\Release\demo.pdb 
• C:\Users\Administrator\Desktop\2023-10-10\dll\x64\Release\demo.pdb 
• C:\Users\Administrator\Desktop\2023-11-02\dll\Release\demo.pdb 
• C:\Users\Administrator\Desktop\2023-11-02\dll\x64\Release\demo.pdb 
• C:\Users\Administrator\Desktop\2024-05-05-tcp\x64\Release\demo.pdb 
• C:\Users\Administrator\Desktop\2024-05-05-tcp\Release\demo.pdb 
• C:\Users\Administrator\Desktop\J3\x64\Release\demo.pdb 
• C:\Users\Administrator\Desktop\dll(cur)\Release\demo.pdb 
• C:\Users\Administrator\Desktop\dll(cur)\x64\Release\demo.pdb 
• C:\Users\Administrator\Desktop\2024-05-05-tcp(过诺顿)xshen\Release\demo.pdb  
  (translation: “bypass Norton”) 
• C:\Users\Administrator\Desktop\2024-05-05-tcp(过诺顿)xshen\x64\Release\demo.pdb  
  (translation: “bypass Norton”) 
• C:\Users\Administrator\Desktop\2025-11-21 (x神订制全站劫持按浏览器语言跳转)\dll\Release\demo.pdb  
  (translation: “xshen custom site hijacking: redirect based on browser language)” 
• C:\Users\Administrator\Desktop\2025-11-21 (x神订制全站劫持按浏览器语言跳转)\dll\x64\Release\demo.pdb  
  (translation: “xshen custom site hijacking: redirect based on browser language”) 
• C:\Users\Administrator\Desktop\dll20260106\Release\demo.pdb 
• C:\Users\Administrator\Desktop\dll20260106\x64\Release\demo.pdb

Builder architecture and BadIIS generation 

During our research into these BadIIS campaigns, Talos discovered a builder tool specifically designed for this malware variant. The threat actor utilizes this utility to generate configuration files, JavaScript redirectors, and PHP backlink scripts, as well as to inject custom parameters directly into the BadIIS malware. Figure 3 shows a screenshot of the builder's interface.

The observed builder is labeled as “version 1.0,” with an estimated original release year of 2021. However, the application header and compilation timestamp indicate that this specific artifact is an updated build compiled on August 22, 2022. The interface fields and configurable settings perfectly align with known BadIIS capabilities, which can be categorized into four primary functions: 

• Traffic redirection: The builder allows threat actors to input target URLs, typically JavaScript-based redirectors, designed to be injected into the victim's browser. This feature forcibly redirects legitimate user traffic to spam infrastructure, such as illegal gambling, adult content, or other malicious websites. 
• Reverse proxy: This feature manipulates how the compromised server interacts with search engine crawlers. When a crawler visits specific hidden URLs, the BadIIS malware acts as a reverse proxy, silently fetching illicit content from the threat actor's command-and-control (C2) backend and serving it to the crawler for indexing. Furthermore, the builder includes a toggle to enable this reverse proxy behavior globally, intercepting crawlers even if they do not visit the designated hidden URLs.
• Content hijacking: The builder includes a site hijacking function capable of replacing the compromised website's original content for both normal users and search engine crawlers. Threat actors can configure the hijacking rate (percentage of traffic affected), toggle whether the homepage is explicitly targeted, and supply a remote URL to dynamically fetch malicious title, description, and keyword (TDK) metadata. 
• Internal and backlinks setting: The final component configures the injection of internal links and external backlinks. Internal links force search engines to discover and index the spam pages hosted directly on the compromised server. Meanwhile, external backlinks siphon the compromised server's Domain Authority, passing that high reputation onto external illicit websites to artificially inflate their search engine rankings.

Furthermore, operating this builder is not a simple, single-click process. Prior to generating the final payloads, the threat actor must stage unconfigured 32-bit and 64-bit BadIIS binaries within the same directory as the builder. Upon initiating the build process, the builder generates a “config.txt” file based on the threat actor’s configured parameters.

It then attempts to authenticate with the C2 server by checking for the specific response string "lwxat". Although the builder does not enforce this validation step — continuing the payload generation process regardless of whether the authentication succeeds or fails — this specific network behavior is highly valuable. Notably, this unique authentication mechanism serves as a critical pivot point, enabling us to identify and attribute other tools developed by the same author.

The final step of the build process involves obfuscating the C2 server address using a single-byte XOR operation with the key 0x3. Once encoded, the builder embeds these addresses, along with all other configured parameters, directly into the final BadIIS malware under the output folder. This configured and output files are illustrated in Figure 7.

Advancement of the builder architecture 

Talos has been tracking multiple cybercrime groups, including those detailed in our previous reports on DragonRank and UAT-8099, that utilize various BadIIS variants to turn global web servers into compromised assets for search engine manipulation. The BadIIS variants deployed by those two groups primarily relied on hardcoded C2 infrastructure and statically compiled payloads to spread. However, the variant characterized by the "demo.pdb" strings represents a significant departure from these previous iterations.

Based on the recovered builder and PDB strings, Talos assesses with moderate confidence that this "demo.pdb" variant is commodity malware, likely sold privately or shared within underground markets. The architecture of this toolset suggests a modular, MaaS business model designed for continuous monetization. The malware developer can initially sell a basic version of BadIIS alongside the builder tool. If a threat actor later requiresan advanced, updated, or customized version (such as the “Norton bypass” or “custom site hijacking: redirect based on browser language” modules), they can request a bespoke payload from the developer and use their existing builder to inject the necessary configurations. Figure 9 shows the workflow Talos assessed.

Additional tools developed by same author 

By pivoting on the previously identified PDB strings and the authentication mechanism, Talos discovered that this author has developed a suite of additional tools designed to facilitate the installation of BadIIS on target machines. The observed PDB strings are listed below, followed by a detailed analysis of the differences between these tools and their respective capabilities.

• D:\vc\dll封装进exe\x64\Release\moduleinit.pdb  
  (translation: “DLL packaged into EXE”) 
• C:\Users\Administrator\Desktop\2024-05-28\install\x64\Release\install.pdb 
• C:\Users\Administrator\Desktop\install\x64\Release\install.pdb 
• C:\vc\service\Release\service.pdb 
• C:\vc\service\x64\Release\service.pdb 
• C:\Users\Administrator\Desktop\service\Release\service.pdb 
• C:\Users\Administrator\Desktop\bao\svchost\x64\Release\service.pdb 
• C:\Users\Administrator\Desktop\2024-05-26\svchost\x64\Release\service.pdb 
• C:\Users\Administrator\Desktop\x神的自安装服务\svchost\x64\Release\service.pdb
  (translation: “xshen self-installation service”)

Early service‑based installer 

Talos identified an additional tool that we assess with high confidence is linked to the same author. Upon execution, the tool verifies that it is running as a Windows service named “Winlogin.” If this condition is met, it initiates a two-stage C2 communication process. First, it connects to a primary C2 server for authentication. During this phase, the malware validates the connection by checking if the server's response matches the specific string "lwxat".

Once authenticated, it connects to a secondary C2 server to download and execute additional malicious payloads on the target machine. Furthermore, the malware uses double Base64 encoding to obfuscate the addresses of both C2 servers.

Configuration‑driven service installer 

Talos observed another service-based tool that dynamically locates and reads an external configuration file to deploy BadIIS onto target machines. This component serves the same operational purpose as the installation batch scripts traditionally observed in earlier BadIIS campaigns. Upon execution, the malware identifies its own absolute path and searches its current directory for a file named “config.txt”. This configuration file uses an XML-like syntax, employing custom tags such as “<globalModules>”, “<name>”, “<path>”, and “<cmd>”. The tool employs a custom parsing routine to segment the file based on these tags, extracting string arrays that dictate its subsequent actions. Using this extracted data, the malware dynamically assembles command-line instructions by iterating through the parsed modules and replacing placeholders like “{name}” and “{path}” with randomized DLL paths and command snippets.

During this assembly phase, the tool specifically prepares commands for both 32-bit and 64-bit BadIIS (e.g., appending “32.dll” /y and “64.dll” /y). These fully-formed commands are then executed, likely via cmd.exe /c, using a function designed to capture the command output.

Authentication and configuration‑driven unified tool 

The threat actor continues to update this tool, recently merging two distinct capabilities into a single binary. The malware still impersonates the Winlogin system service for registration and persistence, but it now utilizes a higher volume of command-line executions to successfully install the BadIIS payload. Notably, these command lines closely resemble the syntax used in earlier BadIIS batch scripts. To evade detection by security products, the tool obfuscates its command lines and parameters using a custom Base64 encoding algorithm. A list of the encoded strings and their decoded counterparts is provided below.

Based on the decoded strings and the tool's code structure, we can categorize the functionality of this upgraded tool into three primary areas. The first group of strings focuses on file discovery, searching for “module.txt”, “.dll”, and “.config” files. The “.config” and “.dll” searches serve the same purpose as in previous versions, targeting IIS configuration files and the BadIIS malware, respectively. The “module.txt” file likely acts as a staging file to temporarily store the IIS modules list before committing changes to the active configuration. Furthermore, this phase targets the “<globalModules>” and “<modules>” sections to register the malicious DLL at the server level. The second group handles payload registration; the tool utilizes specific XML nodes to inject its payloads into the IIS configuration, dynamically replacing placeholders (e.g., “{name32}” and “{path64}”) with actual values. Finally, the third group is responsible for locating the primary BadIIS DLL and establishing its backup location to ensure persistence. However, prior to executing its primary functions, the tool sends a request to the C2 server for authentication. The validation process remains identical to previous versions; the tool verifies the connection by checking if the server's response matches the specific string "lwxat".

Latest two‑stage installation toolset 

Talos observed that the latest version of the service installation tool is now separated into two distinct files. The workflow is shown in Figure 15.

The first file acts as the primary installer and begins by authenticating with the C2 server. Following successful authentication, it searches for the BadIIS malware, copies the payloads to specific primary and backup directories, and registers them within the IIS server module list to ensure persistence. Subsequently, it drops a secondary malware component, installing it as a Windows service. During our research, Talos observed this secondary malware impersonating legitimate services such as FaxService or AudiosService. Additionally, we recovered customization parameters and execution logs associated with this installer, which provided deeper insights into its overall capabilities.

The commands and parameters embedded in the install are also encoded. Below is a list of the encoded strings and their decoded counterparts.

The secondary malware component functions similarly to the previously described service tool. However, recognizing that security operations centers (SOCs) or antivirus products can easily quarantine or delete the primary BadIIS malware, the author has implemented a robust persistence mechanism. The installer now copies the BadIIS malware not only to the active directory used for hooking IIS requests and responses but also to a hidden backup location. This ensures that the malicious BadIIS is automatically restored and launched every time the compromised IIS server is restarted. The table below provides a list of the encoded strings and their decoded counterparts.

Module initialization dropper 

Alongside the service-based tools, Talos identified another utility that shares the same C2 authentication mechanism, custom Base64 encoding algorithm, and similar code structure. However, rather than operating as a persistent service, this tool functions primarily as a dropper designed to install the BadIIS malware onto the target IIS server. The embedded PDB string (“D:\vc\dll封装进exe\x64\Release\moduleinit.pdb”, which translates to "DLL packaged into EXE") explicitly confirms its purpose: packaging malicious DLL payloads within a standalone executable. The BadIIS are found in the resource and named as “IIS32” and “IIS64” (see Figure 17).

The drop location for this BadIIS malware is identical to the one used by the installation script previously documented by Trend Micro.

"lwxat": BadIIS author identification 

Through detailed analysis of numerous BadIIS samples, associated tools, and builder artifacts, Talos assesses with moderate-to-high confidence that the string "lwxat" is the author's alias or handle. This assessment is based on the following converging evidence: 

• Builder authentication mechanism: The BadIIS builder and service tool uses the string "lwxat" as a hardcoded match string within its authentication routine, suggesting the author embedded their identity into the tool's access control logic. 
• Configuration parameter: The string "lwxat" is used as the enable function parameter within the builder's “config.txt” file, further indicating authorship attribution embedded in the tool's operational configuration. 
• User-agent signature: Most notably, several BadIIS malware samples were observed using "lwxatisme" as a custom user-agent string during HTTP communications — a strong behavioral indicator that directly ties the malware to the "lwxat" persona.

Additionally, corroborating evidence was identified through PDB path strings found within certain samples. One PDB path contained the Chinese-language string:

This suggests that the author created a dedicated development folder for a user or client named "xshen" (x神), indicating that this particular BadIIS variant was a customized build tailored specifically for “xshen's”requirements that a full-site traffic hijacking with redirection logic based on the victim's browser language settings.

Collectively, these findings presence of "lwxat" across the builder's authentication, configuration, and in-the-wild user-agent strings, combined with the PDB path referencing a customized build for “xshen” and provide converging evidence indicating that "lwxat" is the primary developer or operator behind the BadIIS malware family, potentially offering customization services to other threat actors. 

Coverage 

The following ClamAV signatures detect and block this threat: 

• Win.Malware.BadIIS-10059971-0 
• Win.Malware.BadIIS-10059977-0 
• Win.Malware.BadIIS-10059984-0 
• Win.Malware.BadIIS-10059985-0

The following SNORT® rules (SIDs) detect and block this threat:  

• Snort2: 1:66400, 1:66399, 1:66398 
• Snort3: 1:66400, 1:301491 

Indicators of compromise (IOCs) 

The IOCs can also be found in our GitHub repository here.

Welcome to this week’s edition of the Threat Source newsletter. 

Many solutions have been proposed to reduce software bugs: zero-defect mandates, pair programming, formal methods, and mathematical software proofs. The reality is that software engineering is hard. Identifying and fixing bugs before they make it into production code is hard. Source code peer review and extensive unit testing have improved code quality, but bugs still get through. 

Not every bug is a vulnerability, and not every fault that appears to be a vulnerability can be usefully exploited. Nevertheless, through extensive testing and review, a skilled vulnerability researcher can still uncover faults in software that has already undergone rigorous quality assurance. However, skilled vulnerability researchers are a scarce resource and can only review so much software. 

AI is the great hope for improving software quality. Iterative improvements in AI's ability to find bugs mean that each new version of these systems is better than the last. We’re now at the point where AI, although still not as good as a skilled vulnerability researcher, can scan code to find errors at a scale and speed that human analysis cannot match. Used well, it can identify potential vulnerabilities before they reach production. 

In the long term, this is very good news. Better automated review and analysis of software is how we will improve code quality. However, in the short term, decades of technical debt and latent errors will be uncovered and will need to be addressed. To make things more complex, threat actors will have access to these same tools to search for exploitable vulnerabilities for their own ends. 

The result is likely to be a surge in patches. More vulnerabilities discovered means more fixes released, placing additional pressure on already stretched operations teams. Many of these patches will be urgent; some will address vulnerabilities that are being actively exploited. Without proper planning, the volume of fixes may outpace an organization's capacity to deploy them.

The surge of patches has yet to happen, but the first signs may already be visible. Now is an excellent time to consider how you prioritise patching, apply patches at scale, and manage systems that cannot be patched quickly — or at all. We can reflect on these questions now, and improve our processes, or we can flounder when the surge of patches arrives. Either way, ready or not, the time of much patching is coming. 

The one big thing 

In Cisco Talos’ latest blog, we outline the differences between responding to state-sponsored threat actors and handling commodity ransomware. These advanced adversaries log in using valid credentials and leverage your own trusted tools to remain invisible for months. Because their primary objectives are long-term espionage and pre-positioning rather than immediate financial gain, standard incident response playbooks are entirely inadequate.  

Why do I care? 

State-sponsored actors operate inside your trust boundary and aim to remain completely undetected. They have the patience and resources to map your infrastructure, exploit supply chain vulnerabilities, and blend their lateral movement into routine administrative tasks. If your security architecture assumes internal traffic is inherently trustworthy, these adversaries will exploit that gap to establish deep, persistent access across both IT and operational technology environments. Prematurely containing these threats can even tip off the attacker, causing you to lose critical intelligence and the chance to fully eradicate their foothold.

So now what? 

Shift to a zero trust architecture that continuously verifies access and plans for inevitable failures, starting with maximizing your visibility through centralized log aggregation and enabling Windows command-line and PowerShell script block logging. Prioritize identity management by enforcing multi-factor authentication on all administrative accounts and implementing a tiered access model. Update your incident response playbooks to specifically address living-off-the-land techniques, supply chain compromises, and the complex operational timing required for state-sponsored containment. Read the blog here for more information. 

Top security headlines of the week 

Linux bitten by second severe vulnerability in as many weeks 
The leaked exploit is deterministic, meaning it works precisely the same way each time it’s run and across different Linux distributions. It causes no crashes, making it stealthy to run. Install patches immediately. (Ars Technica) 

A DOD contractor’s API flaw exposed military course data and service member records 
The issue affected Schemata, an AI-powered virtual training platform used in military and defense settings. According to Strix, an ordinary low-privilege account was able to access data across multiple tenants. (CyberScoop) 

Fake OpenAI Privacy Filter repo hits No. 1 on Hugging Face, draws 244K downloads 
A malicious repository managed to take a spot in the platform's trending list by impersonating OpenAI's Privacy Filter open-weight model to deliver a Rust-based information stealer to Windows users. (The Hacker News) 

TanStack, Mistral AI, UiPath hit in fresh supply chain attack 
The same as in previous campaigns, the worm targets sensitive information, including developer credentials, API keys, tokens, cloud credentials and secrets, cryptocurrency wallets, and more. (SecurityWeek) 

Official CheckMarx Jenkins package compromised with infostealer 
Checkmarx warned over the weekend that a rogue version of its Jenkins Application Security Testing (AST) plugin had been published on the Jenkins Marketplace. (BleepingComputer) 

Can’t get enough Talos? 

Breaking things to keep them safe with Philippe Laulheret 
From his memorable experiment using a green onion to bypass a biometric fingerprint reader to his experience on the frontlines of cybersecurity, Philippe shares the journey that led him to vulnerability research. 

Inside the SOC: AI-powered DNS defense against ransomware 
Learn how Cisco Talos' advanced AI-driven detection, including domain generation algorithm (DGA) analysis, integrates within Cisco Secure access to proactively identify and predict malicious domains. 

Clustering and reuse of phone numbers in scam emails 
Cisco Talos has recently started to collect and gather intelligence around phone numbers within emails as an additional indicator of compromise (IOC). In this blog, we discuss new insights into in-the-wild phone number reuse in scam emails.   

Upcoming events where you can find Talos 

• OffensiveCon (May 15 – 16) Berlin, Germany 
• Cisco Live U.S. (May 31 – June 4) Las Vegas, Nevada 

Most prevalent malware files from Talos telemetry over the past week 

SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
MD5: 2915b3f8b703eb744fc54c81f4a9c67f  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
Example Filename: VID001.exe  
Detection Name: Win.Worm.Coinminer::1201** 

SHA256: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974  
MD5: aac3165ece2959f39ff98334618d10d9  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974  
Example Filename: d4aa3e7010220ad1b458fac17039c274_63_Exe.exe  
Detection Name: W32.Injector:Gen.21ie.1201 

SHA256: e60ab99da105ee27ee09ea64ed8eb46d8edc92ee37f039dbc3e2bb9f587a33ba  
MD5: dbd8dbecaa80795c135137d69921fdba  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=e60ab99da105ee27ee09ea64ed8eb46d8edc92ee37f039dbc3e2bb9f587a33ba  
Example Filename: u112417.dat  
Detection Name: W32.Variant:MalwareXgenMisc.29d4.1201 

SHA256: 90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59  
MD5: c2efb2dcacba6d3ccc175b6ce1b7ed0a  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59  
Example Filename: APQ9305.dll  
Detection Name: Auto.90B145.282358.in02